On Sept. 21, news broke that a tool Experian, one of the three major credit bureaus, has on its site to retrieve the PIN needed to remove credit freezes had a major security flaw. While such a tool can be helpful, the problem is that accessing the tool is fairly simple, only requiring users to enter information that is likely to have been leaked in the recent Equifax breach (if not in an earlier breach), allowing almost anyone to unfreeze someone’s credit. Continue reading below as we go into detail about this tool, its security implications and the broader issues surrounding the security of the credit reporting industry.

What exactly is the Experian PIN verification tool?

Although the tool formally has no name — the page on Experian’s site is titled “Experian – PIN Reminder” — it’s a form that allows consumers to request the PIN Experian provided to them when they placed a credit freeze on their account. The tool asks consumers to enter key credentials like their name, address, Social Security number and email. The problem with this process, as many have pointed out, is that much of this information has likely been compromised in the recent Equifax breach or might already be readily available for sale in some corner of the dark web, which means that if someone knows this information and can get past the identity-verification questions, they can easily retrieve someone’s PIN and thaw their frozen credit. Even if someone’s key credentials weren’t leaked in a breach, public records and social media make finding out many of these details fairly trivial.

While the above aspects make the tool’s security lax (despite its use of HTTPS and Extended Validation, which in themselves are good security practices), what’s particularly egregious is that Experian encourages users to provide email addresses “for faster delivery of your results.” Given large email breaches, such as the Yahoo breach, and the fact that email phishing is particularly rampant, encouraging the delivery of highly sensitive information via email can set the stage for some particularly nasty hacks and social engineering campaigns down the line. Furthermore, without confirming the legitimacy of an email address, it’s somewhat unclear whether just any email address (or multiple email addresses, for that matter) could be used to request a PIN.

Experian, in its own defense, points out that it has additional methods of verification that it doesn’t disclose. However, it’s unclear if these checks rely on information that’s easily verified. If randomized knowledge-based authentication questions are the only means by which Experian PIN retrieval requests are validated, then, as security expert Brian Krebs pointed out in his article, the tool is undeniably completely insecure. As we’ve discussed before, knowledge-based authentication, often used in online account security questions, is an easily defeated security measure because the inputs are static. Furthermore, if the answers to the questions are relatively straightforward, like with the information asked for in Experian’s PIN request, basic research on social media and public records will often allow anyone to answer knowledge-based authentication questions.
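To make the two weaknesses above concrete (static knowledge-based answers as the only gate, and delivery of the secret to whatever address the requester types), here is an added example that is not code from the original post and not Experian’s actual system. It is a hypothetical PIN-reminder service with a sample consumer record constructed inline: the weak flow hands the freeze PIN to any email address once the static answers match, while the hardened flow only ever sends a short-lived, single-use verification link to the address already on file, rate-limits failed attempts, and records every event so the consumer can be notified. All names and field values are assumptions for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3            # lockout threshold (assumed policy value)
TOKEN_TTL_SECONDS = 600     # lifetime of the one-time link (assumed policy value)


@dataclass
class FreezeRecord:
    """Constructed sample of what a bureau might hold for a frozen file."""
    name: str
    ssn: str
    dob: str
    kba_answers: dict           # static knowledge-based answers (e.g. prior street)
    verified_email: str         # address confirmed when the freeze was placed
    freeze_pin: str
    failed_attempts: int = 0
    events: list = field(default_factory=list)   # audit trail used for consumer notices


def _match(a: str, b: str) -> bool:
    # Constant-time comparison after normalisation so mismatches leak no timing info.
    return hmac.compare_digest(a.strip().lower(), b.strip().lower())


def _kba_passes(rec: FreezeRecord, answers: dict) -> bool:
    return all(_match(rec.kba_answers.get(q, ""), a) for q, a in answers.items())


def weak_pin_reminder(rec: FreezeRecord, ssn, dob, answers, delivery_email):
    """Weak design: static identity data plus KBA decide everything, and the PIN
    is sent to whatever e-mail address the requester supplies."""
    if _match(rec.ssn, ssn) and _match(rec.dob, dob) and _kba_passes(rec, answers):
        rec.events.append(("pin_sent", delivery_email))
        return {"to": delivery_email, "pin": rec.freeze_pin}
    return None


class HardenedPinReminder:
    """Hardened design: static data only decides whether to proceed; the secret
    travels solely over the channel verified when the freeze was placed."""

    def __init__(self):
        self._pending = {}   # token -> (record, expiry timestamp)

    def request(self, rec: FreezeRecord, ssn, dob, answers, delivery_email, now=None):
        now = time.time() if now is None else now
        if rec.failed_attempts >= MAX_ATTEMPTS:
            rec.events.append(("locked", delivery_email))
            return {"status": "locked"}
        if not (_match(rec.ssn, ssn) and _match(rec.dob, dob) and _kba_passes(rec, answers)):
            rec.failed_attempts += 1
            rec.events.append(("failed_attempt", delivery_email))
            return {"status": "denied"}
        # Breached or public data may get an attacker this far, so the typed address
        # is never trusted: it must equal the address already on file. The same
        # "denied" answer is returned so the form does not act as an oracle.
        if not _match(rec.verified_email, delivery_email):
            rec.events.append(("email_mismatch", delivery_email))
            return {"status": "denied"}
        token = secrets.token_urlsafe(32)
        self._pending[token] = (rec, now + TOKEN_TTL_SECONDS)
        rec.events.append(("verification_sent", rec.verified_email))
        # In a real deployment the token would only be embedded in the e-mailed link;
        # it is returned here so the flow can be exercised offline.
        return {"status": "pending", "to": rec.verified_email, "token": token}

    def redeem(self, token: str, now=None):
        """Release the PIN once, only while the token is still valid."""
        now = time.time() if now is None else now
        entry = self._pending.pop(token, None)   # single use: removed on first touch
        if entry is None:
            return None
        rec, expiry = entry
        if now > expiry:
            rec.events.append(("token_expired", None))
            return None
        rec.events.append(("pin_released", rec.verified_email))
        return rec.freeze_pin


def build_sample_record() -> FreezeRecord:
    # Constructed sample data; no real person or PIN.
    return FreezeRecord("Jane Doe", "123-45-6789", "1980-01-02",
                        {"prior_street": "Elm St"}, "jane@example.com", "7381-2290")


if __name__ == "__main__":
    rec = build_sample_record()
    known = dict(ssn="123-45-6789", dob="1980-01-02", answers={"prior_street": "Elm St"})
    print("weak flow:", weak_pin_reminder(rec, **known, delivery_email="someone@example.net"))
    svc = HardenedPinReminder()
    print("hardened, unknown address:", svc.request(rec, **known, delivery_email="someone@example.net"))
    r = svc.request(rec, **known, delivery_email="jane@example.com")
    print("hardened, address on file:", r["status"], "->", r["to"])
    print("redeem once:", svc.redeem(r["token"]), "| redeem again:", svc.redeem(r["token"]))
```

The point of the contrast is the separation of roles: in the hardened flow, knowing someone’s static details is never enough on its own, because the secret only ever reaches the channel the consumer verified earlier, and every request, successful or not, leaves an event that can drive the mailed notice the post recommends watching for.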

Should you still get a credit freeze with Experian?

Regardless of how insecure this tool is, it’s still advisable to place credit freezes with each of the credit bureaus. First off, this security “oversight” is believed to only affect Experian and, to be fair, no breaches through this tool have yet been reported. That said, the simplicity of this tool means that you’ll need to watch your Experian credit report like a hawk and constantly monitor the status of your freeze. At the very least, this incident proves that it’s no longer enough to set a freeze on your reports and forget about them. Even if Experian removes this tool or modifies it to be more secure, in the long run, it might just be better to check in on your credit freeze status frequently — remember that the bureau will send you a notice of a freeze/thaw via mail, so be on the lookout for those.

Why do these issues keep happening?

Sadly, this story comes right on the heels of Equifax gaffes earlier this week. Incidents like these seem to be part of a long line of issues which would be a comedy of errors were they not directly impacting Americans’ lives. The persistence of these mishaps across companies suggests that there are perhaps fundamental problems not just with Equifax, but with the entire credit reporting industry. Unfortunately, addressing these issues is beyond our abilities as consumers, but we should be cognizant of the fact that these issues do exist and could result in a substantial change to the industry should the government, and perhaps even lenders and banks, decide to change how credit reporting is managed. In the meantime, it seems that we not only have to monitor our reports and other sensitive accounts as frequently as possible, but we also have to play an active role in managing our own cybersecurity. Reading about all these breaches and security flaws can be exhausting, but on the bright side with regard to this particular issue, nothing seems to indicate that the other bureaus’ methods for PIN verification are as insecure as Experian’s, although another day will likely reveal yet another security issue.

To stay up to speed regarding the fallout of the Equifax breach, keep reading our dedicated Equifax breach blog. And to know the latest about emerging breaches and hacks, keep reading our security breach blog.

Has anyone been able to actually monitor the status of an Experian security freeze? I tried but did not see an option on their website to do this. So I thought I would click on place a security freeze which would tell me that I already had a security freeze. Well that didn’t work and instead they wanted my credit card info for the freeze fee. My concern is that someone will obtain my Experian PIN number, yes it would be very easy to do and then remove my freeze and I will have no way of knowing. And you can not reach a live person when you call their support phone number. Any thoughts?

About Author

Michael Osakwe

Michael Osakwe is a NextAdvisor.com writer covering technology and a multitude of personal finance topics. His research has been featured in interviews with publications like Forbes, U.S. News & World Report, The International Business Times, and several others. He is a graduate of the University of California, Berkeley with a BA in Political Economy and a minor in Public Policy. You can follow him on Twitter @Michael_Advsr.